rmdir command issued during Windows 98SE boot sequence

Unfortunately, I am sharing a single user Windows 98SE PC with others who always swear, they never did anything when things go wrong. After removing i.exe, a Trojan Horse downloader successfully with AVG 6.0 free edition, build 639 (3/22/04), suddenly the message:

C:\rmdir C:\WINDOWS\TEMP\_ISTMP5.DIR\_ISTMP0.DIR
Invalid path, not directory,
or directory not empty

C:\>

which occurs after Windows 98 loads and right before the desktop is loaded and displays. I did a step-by-step boot by holding F8 down and saw nothing out of the ordinary. I do not know what issues the rmdir command described above, only that it is being issued after all the drivers have been loaded. But then, going to the C:\WINDOWS\TEMP directory, I find 5 of these strange subdirectories:

None of this exists on a parallel Windows 98SE PC and my attention to these folders and files was only drawn to it by the above mentioned failing rmdir command, the failure of which is prominently echoed at each boot, because there apparently is no _ISTMP0.DIR subdirectory inside of the _ISTMP5.DIR directory. The only other weird files I could not find by comparison on my parallel Windows 98SE PC are strange .exe files in the root directory, which also worry me: There is link.exe, gd.exe and best.exe and they have just the DOS executable program logo, no information whatsoever and recent dates. Then there is HXDLAZWM.exe with a weird yellow spiral logo and ss_IGN7_setup.exe with a logo with a tiny PC, a tiny white horse on a black background, a CD shown in front with a tiny open box to the right. My suspicion is that these files should for starters not be in the root directory at all and that they are probably left-overs from previous clean-ups, viruses, Trojan Horses, installed crap or the like. I have not re-installed Windows 98SE on this PC since 9/03/03, hence there could be a lot of trash.

1) What issues the above rmdir command?
2) How can I stop it?
3) Are these _istmpx.dir directories and these strange files of any importance, or can they be deleted? Is there a risk in deleting them?
4) Are the unidentified .exe files in the root directory valid, invalid, or even a risk, so that they should be removed?

The rmdir command removes each requested directory.
Each directory must be empty for rmdir to be successful.

Have you checked autoexec.bat, msconfig?

Anyway you do have loads of adware/spyware cleanup to do.

BEFORE anything else:

Get Ad-Aware 6.0, Build 181 or later, here: http://www.lavasoftusa.com/support/download/. Update and run this regularly to get rid of most "spyware/hijackware" on your machine. If it has to fix things, be sure to re-boot and rerun AdAware again and repeat this cycle until you get a clean scan. The reason is that it may have to remove things which are currently "in use" before it can then clean up others.

Another excellent program for this purpose is SpyBot Search and Destroy available here: http://security.kolla.de/
I recommend using both normally.
After fixing things with SpyBot S&D, be sure to re-boot and rerun SpyBot again and repeat this cycle until you get a clean "no red" scan. The reason is that SpyBot sometimes has to remove things which are currently "in use" before it can then clean up others.

Once you get this cleaned up, you might want to consider installing the SpywareBlaster and SpywareGuard here to help prevent this kind of thing from happening in the future:

http://www.wilderssecurity.com/spywareblaster.html
Prevents malware Active X installs.
SpyWare Blaster is not memory resident ... no CPU or memory load - but keep it updated.
The latest version as of this writing will prevent installation or prevent the malware from running if it is already installed, and it provides information and fixit-links for a variety of parasites.

Unfortunately, I did most of this... I have AdAware and SpyBot installed, as well as AVG and meticulously keep them at the latest build (I check daily for updates and install them). This is the only line in my autoexec.bat file:

@C:\PROGRA~1\GRISOFT\AVG6\bootup.exe

and I therefore suspect that I interrupted AVG during the removal of some of that crap I listed in my original question, hence, the rmdir command may be passed as an argument to that bootup.exe file. But I am not sure, the rmdir command may be issued later - is the autoexec.bat file the absolute last thing being executed before the desktop is displayed?

Also, AVG, AdAware & SpyBot all finish clean, meaning that the few questionable TEMP subdirectories as well as those questionable .exe files in the root directories are now still there after I ran everything 3 times after fresh boots - what is your opinion about removing all that manually?

Your temp stuff can be removed manually - sure.
You might just try sliding .0 under .5 so that maybe this cleanup script will be able to complete successfully.

Otherwise, try Start->Run->MSCONFIG and see if you can find anything there.
You might also try Start->Run->Regedit
and navigate to
HKEY_Local_Machine\Software\Microsoft\Windows\Currentversion\Run
and
HKEY_Current_User\Software\Microsoft\Windows\Currentversion\Run
(possibly check other variations of Run as well (Run-, RunOnce, etc.)).
If you find the item there, you can either delete it or export it first (from the file menu) and then delete it...

That clean-up script somehow got stuck - I suspect, either I or one of those Einsteinian room mates of mine interrupted AVG in a panic, then rebooted, and the subdirectory was deleted, yet the script did not get to complete the first time. I think this because autoexec.bat has only this one line to execute AVG, and I suspect the clean-up script is passed to it as an argument. I also religiously run msconfig, followed by regedit and clean all RUN- keys out after deleting them from Startup. On a second boot, AdAware and SpyBot always get all the remaining keys, hence, the crap that's laying around must be from incomplete or poorly executed clean-up procedures.

What is your opinion about link.exe, gd.exe, best.exe, HXDLAZWM.exe with a weird yellow spiral logo and ss_IGN7_setup.exe as described above, which in my opinion should not be in the root directory, even if they were valid files - should I simply delete them? The TEMP directory is one thing, but I sure would not like to screw something up in the root directory...

I thank you very much for your tips. It seems, however, that you guys are a little bit in each other's hairs, which means I'll have to split the points. Now, I'm not in your league with this subject matter, because I am from another discipline, where quantitative analysis does not leave me all that much time to be up to snuff on everything else, so I apologize for being a little naive here.

SUMMARY

The bottom line is, what you both said, was quite accurate, I just finished extensive tests of the many software packages on this PC and they all did not need any of these .exe files. A program called best.exe without any properties information, sitting in the root directory, would make me nervous in any case - I renamed and moved all of this garbage to another location and so far, no program is missing it. In my book, it all goes down as leftover spyware garbage and I thank you particularly for the tip to install SpywareBlaster, which makes a real difference and works well with the free ZoneAlarm. As discussed, I'm using this along with the latest builds of the free AVG 6.0 anti-virus, AdAware 6 and SpyBot.

Thank you for your comprehensive comments and I'm really glad you found the answers useful.

I'm sorry the dialogue between me and sirbounty led you to a misinterpretation of the situation. Please believe me there were no bad intentions or hard feelings towards sirbounty in my comments and I'm sure he feels the same.

One of the reasons EE works so well is exactly the competition between experts that usually ends with answers that do help askers solve their problems.

C:\rmdir C:\WINDOWS\TEMP\_ISTMP5.DIR\_ISTMP0.DIR
Invalid path, not directory,
or directory not empty

C:\>

still appears, despite a clean uninstall with removal of the entire grisoft directory & subdirectory tree, empty autoexec.bat and empty config.sys file. It is a complete riddle to me, from where the rmdir command is issued, but the only executable statement is the new one and only line in my autoexec.bat file:

@C:\PROGRA~1\GRISOFT\AVG6\bootup.exe

and I have no idea, what or how the rmdir command is still being passed to boot.exe and would appreciate what else I could do besides this complete re-install - thanks.

Well, I'm no expert, so I worry and do things thoroughly - there was nothing in the autoexec.bat file at all while I rebooted before the clean re-install of AVG and I did not see the message. But once I installed the latest build of AVG 6.0 free edition, the line

@C:\PROGRA~1\GRISOFT\AVG6\bootup.exe

was placed once more into the normally empty autoexec.bat file. I was stunned to see the rmdir command reappear - from where? The uninstall was ultra-clean - there were none of the usual leftovers like an empty Grisoft directory tree in Program Files - all references to Grisoft were gone, and so was the above line in the autoexec.bat file. I saw nothing in the Run- keys in the registry either, nor any reference to AVG or Grisoft in Startup or the file system in general. Where could that script have come from? Or is it possible that there is a switch set from a leftover cleanup problem that causes even the newly installed AVG 6.0 to think it has to issue that rmdir command? I would do another clean uninstall and then check again by hand if there is any reference to anything left over, but I have done that already and it would make only sense, if there is a clue what else I could remove. Maybe I should do the complete uninstall again, but this time run in between AdAware and SpyBot in succession 3 times after 3 fresh boots and see if there may have been some spyware remains that cause the new AVG to think it has to reissue that rmdir command. This is really weird, especially because I removed all these _istempx.dir files long ago AND they never reappeared - what do you think?

Ah - looky here - seems like I did not pay attention... rem-ed out the autoexec.bat line and STILL got the rmdir command - therefore, what is running after autoexec.bat is executed and just before the desktop is being displayed? My conclusion is that I did not pay attention and got that message even during the one-time boot while uninstalling AVG, and before and after continued to attribute it incorrectly to AVG. But it may be something else - I can clearly see the rem-ed out statement echoed by the execution of autoexec.bat, then there is a pause and, of course, no boot virus check, and then that rmdir message appears just before the desktop does - hence, we're still in DOS under Windows 98SE - so, what else could be issuing that command?

Re your suspicion: "Probably, and I'm guessing, that command is intended to clean the temp folder created during the install of AVG." - I have to disagree, because the rmdir message started after a cleanup a few days ago (around 3/17/04) and I had NOT reinstalled AVG since September 22, 2003 at this time. I only subsequently reinstalled AVG with a build of 3/22/04, but by then we were already trying to solve for what caused that rmdir message.

If you go for step-by-step, you need to confirm every startup command. Doing this carefully and reading each command may lead you to find the culprit. A trial and error startup test will also help (saying no to the "suspicious" commands and checking if the error message persists).

A logged startup will create a bootlog.txt file in C:\ that you can read and analyse.

This thing is turning into a bitch... First, there is no start.bat in the entire file system. Secondly, step-by-step booting does NOT reveal who or what is issuing the rmdir command - it is just being issued in a DOS prompt environment - and there is not a single reference to the string "rmdir" in bootlog.txt - so, it's a command from HELL!

On a calmer note, I'm beginning to wonder what else could execute so close to the desktop being displayed - maybe that is a clue for specialists like you - the rmdir command appears to come a little late, kind of like long after autoexec.bat finishes executing, and only a second before the desktop displays...

Since Spyware Blaster is always on, I totally uninstalled and re-installed that, too, but that didn't help. I also didn't change anything, the same programs are in startup as before the rmdir message began, and I run AdAware and SpyBot on demand only. Could the free version ZoneAlarm 4.5.x issue a rmdir command at boot?

Could something sit in the registry, or a key be set to issue that command?

Well, if it's in the registry - then you can perform a search for rmdir - shouldn't be too many instances of it, if any - hopefully just one. ;)
Do a search of your hard drive for all .BAT files...
One other BAT file is lingering in the back of my mind that might run at that point, but I don't recall the name...
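
Added example, not part of the original thread: a Python sketch of the batch-file search suggested above, meant to be run against a copied or mounted file tree of the Windows 98 disk. It flags delete and remove-directory commands in .bat files, including ones behind "if exist", and skips rem-ed lines; the function names and the sample file contents are constructed for illustration and are not the real contents of the files discussed here.

```python
import os
import re
import tempfile

# Delete / remove-directory commands worth flagging in a Win9x batch file.
COMMANDS = ("rmdir", "rd", "deltree", "del")
# Optional "@", optional "if [not] exist <path>" prefix, then the command word.
PATTERN = re.compile(
    r"^\s*@?\s*(?:if\s+(?:not\s+)?exist\s+\S+\s+)?("
    + "|".join(COMMANDS) + r")\b\s*(.*)$",
    re.IGNORECASE,
)

def find_batch_commands(root, needle=""):
    """Return sorted (relative path, line no, command, args) hits in *.bat files."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".bat"):
                continue
            path = os.path.join(dirpath, name)
            # DOS batch files are OEM-encoded; cp437 decodes any byte.
            with open(path, encoding="cp437") as fh:
                for line_no, line in enumerate(fh, 1):
                    m = PATTERN.match(line)
                    if m and needle.lower() in m.group(2).lower():
                        hits.append((os.path.relpath(path, root), line_no,
                                     m.group(1).lower(), m.group(2).strip()))
    return sorted(hits)

def build_sample(root):
    """Write a constructed sample tree; the file contents are illustrative only."""
    tmp = r"C:\WINDOWS\TEMP"
    files = {
        "AUTOEXEC.BAT": "rem @C:\\PROGRA~1\\GRISOFT\\AVG6\\bootup.exe\n",
        "WINDOWS/WINSTART.BAT": f"@echo off\nrmdir {tmp}\\_ISTMP5.DIR\\_ISTMP0.DIR\n",
        "WINDOWS/TMPDELIS.BAT": f"@if exist {tmp}\\_ISTMP0.DIR rd {tmp}\\_ISTMP0.DIR\n",
    }
    for rel, text in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="cp437") as fh:
            fh.write(text)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        for hit in find_batch_commands(root, needle="_ISTMP"):
            print(hit)
```

Each hit names the file and line to inspect before deleting or editing anything; the file's modification date then helps tie it to whichever install or cleanup created it.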

The winstart.isk file referenced above is not on the file system, as this command seems to force it to be renamed to winstart.bat anyway, which it is.

Since the date coincides with my build 639 of AVG 6.0 free Edition, it looks as if AVG is the source of this. Other than these 3 there is only dosstart.bat with an old date to run my Logitech mouse and autoexec.bat with that 1 line to run AVG as stated before. The only other .bat files are those 3 and they all have the date of 3/24/04, a day after the build of the new AVG. Can I simply delete all 3 of them? I am just somewhat confused why these conditional delete commands do not seem to execute and why all 3 of these files sit around. The only thing that is for sure is that winstart.bat still executes every time I boot. What should I do - should I leave it there empty, or can it be removed?

I first removed all 3, but then saw on my vanilla copy/backup PC that the 3/22/04 build 639 of AVG 6.0 Free Edition left in that C:\WINDOWS directory the conditional tmpdelis.bat without me having ever had a virus or any istmpX.dir directories on that machine - because I keep it disconnected and use it only locally to print long jobs or for long calculations, or for emergencies to compare PCs. The reason I think AVG put these .bat files there is because I have only AVG running on the second PC - no AdAware, SpyBot, SpywareBlaster etc., because it stays disconnected, and that file appeared the day I updated AVG, before contacting you.

How do you read the logic starting with tmpdelis.bat - should tmpdelis.bat maybe ALWAYS stay in C:\WINDOWS, or would tmpdelis.bat again be recreated if AVG encountered an istmpX.dir subdirectory structure?

Obviously, one cannot see the AVG source code and whether they thought of one or more of such permanent prophylactic .bat files, but I tend more toward leaving tmpdelis.bat there than removing it - also, I could leave all 3 there and merely empty winstart.bat - what do you think?

I read tmpdelis the same way as you do, therefore, I find no answer why tmpcpyis does even exist (remember, all 3 .bat files were neatly in the C:\WINDOWS directory, hence, there is no way that they did not see each other...).

For the last 2 days, I have removed all 3 of them, and will now re-install tmpdelis the same way as AVG seems to have done it on PC#2 (with the same commands, by the way), because I suspect this to be what that later build of AVG 6.0 intended. I see no harm in tmpdelis being there and since this is the free version of AVG, I cannot ask questions. So, you will hear only from me again, if this causes something dramatic to happen. If this causes me to miss a virus or spyware within the next 2-3 weeks, I will post accordingly here.

This was weird stuff and I thank you very much for your patience and help!
